SSH
Secure Shell Software Suite

Secure Shell, also known as ssh, is an encrypted data transfer technique. This technique is used in three ways. The first and most common use is a secure remote connection to a system for remote terminal access. This function is known as ssh and is the first thing that comes to many people's minds when ssh is mentioned. The second most used function is Secure Copy, also known as scp. The third and final function is Secure File Transfer Protocol, also known as sftp.

There are two forms of Secure Shell. The first is the actual ssh software developed by SSH Communications Security. The second is openssh, which uses the BSD license. However, some of the components use different licenses that are even more permissive about distribution. The ssh that is included in Fedora and every other Linux distribution is openssh.

Secure Shell

When using Secure Shell, all traffic from the origin to the destination system is encrypted with a technique called asymmetric cryptography, which so far has not been cracked. GUI applications can be forwarded through the encrypted tunnel as well. This aspect is called X-Forwarding. The overall concept is rather simple to understand; however, the details are very complicated. This document handles the simple and more mundane aspects of Secure Shell.

Basic

Very basic server and client configuration. This may not be the most secure way; however, it is functional and still more secure than telnet.

Server

A basic Fedora install will normally have the ssh server preinstalled. However, just in case it is not, here is the way to install it.

    yum install openssh-server

The default configuration from the Fedora repositories will work. However, there is at least one thing that could be changed to make the system more secure right from the start. Disabling root access remotely will make the system more secure.
This is because if someone does get into the system somehow, they at least will not have root access. Before making any changes to the configuration file, it is a good idea to make a quick backup.

    cp /etc/ssh/sshd_config /etc/ssh/sshd_config.orig

Open the file sshd_config with a text editor. Find the following line.

    PermitRootLogin yes

Change the yes to no and save the file. Now start the ssh server with the following command.

    service sshd start

Attempt to log in from a different computer to see if it works. Attempt to log in as root from a different computer and see that it does not work.

Client

The default Fedora setup for the ssh client works just fine for a basic ssh server setup like the one above. The syntax is pretty basic: the command, the options, then username@address or IP. An example follows.

    ssh user@192.168.1.100

If you would like to be able to run graphical programs, you need to use the -X option on the command as follows.

    ssh -X user@fubar.domain

Either of these commands will prompt for a password for the local account being accessed on the ssh server.

Advanced

This advanced section covers using keys for authentication. Key logins can be performed in multiple ways; some will be covered. For more information on the key authentication options, please visit Dave Aaldering's SSH with Keys HOWTO. Disabling the remote root login is still recommended.

Client

Key authentication will be faster to use once it is set up; however, the process of setting up the keys may take some time. Please be patient.

The first obstacle: can we log into the remote system? Let's find out by using the basic client connection above. After a remote shell has been accessed, please continue on.

The second obstacle: generating a key. This should be simple and quick; however, if you have older hardware it may take a minute.
We need to get into the hidden ssh directory in the home directory with the following command:

    cd ~/.ssh

Now we need to generate a long and extensive key with the following command:

    ssh-keygen -t dsa

Enter the following name for the file when prompted:

    authorized_keys

When asked for a passphrase you could go either way. If no passphrase is entered, then no passphrase will be needed to access the system when all is said and done. If you enter a phrase here, then you have added one more level to the security of the system. Either enter a passphrase or just hit enter, and re-enter the same way when asked. This may take a minute on slower hardware but should be over rather quickly for anyone running at least a 386 200MHz or better.

The permissions on the file need to be set. The following command will give the correct permissions.

    chmod 600 authorized_keys

The third obstacle: we need to get the newly created key to the ssh server. We are going to use secure copy to do so. (Please see below for more on secure copy.) This will ensure that what we are about to transmit does not end up in the wrong hands.

    scp authorized_keys username@host:~/

Now we need to connect to the remote system using the basic password method. Once logged into the remote system, we need to put the contents of the authorized_keys file we just copied into the correct file there; however, we may need to make the directory and set permissions to do so. The following few commands will do the trick.

Make the directory only if needed.

    mkdir .ssh

Set the permissions of the .ssh directory.

    chmod 700 .ssh

Add the content of the key to the current file on this system. This command will create the file if it is not there as well.

    cat authorized_keys >> ~/.ssh/authorized_keys

Set the permissions on the file.

    chmod 600 ~/.ssh/authorized_keys

The only thing left to do is log out of the remote system and attempt to log in with just the key. Unless a passphrase was provided, no password will be required.
However, if a passphrase was provided, then it will be requested upon connecting.

Server

The first thing to realize when setting up access via key authentication is that the Fedora version of openssh is preconfigured to accept key authentication. However, once this is set up on the client end, it may be a good idea to disable password authentication on the server end.

Warning: Before attempting to disable password authentication, be sure some other access method is available, whether it be working key authentication or even physical access.

Open the file /etc/ssh/sshd_config and find the line:

    PasswordAuthentication yes

Change the yes to no. Save the file and restart the sshd service with the following:

    service sshd restart

Secure Copy

Secure copy is one way to send a file or multiple files from one system to another through an encrypted tunnel. All data is encrypted and relatively safe compared to most data transfers. This method does require a user name and password for both systems. Secure copy is really useful for backups or any data transfers that need to be encrypted. It can be used in a shell script easily and, when combined with cron, could make for an automatic backup system that is rather secure. Using secure copy is rather easy once you understand the syntax that it uses.

Syntax:

    scp options path/file username@host:path

The explanation: scp is the program, so it will always come first, followed by a space to separate the command from everything else. Next we have the options. The numerous options can be overwhelming, but the most common one is -r, recursive copy for entire directories. Then comes a space to separate the options from the arguments. Next is the path and/or file name. This is the file or directory that is to be copied. An example of which is:

    /var/ftp

After another space to separate the arguments comes the username. The username is the user's name on the remote system. The @ is the separator for the user name and the host.
The host could be an IP address or the name of the system provided by DNS. Next we have the colon (:), which is used to separate the host from the path on the remote host. This is rather common notation for remote paths. The path after the colon is the path on the remote system.

For a full example:

Local file = /home/joe/picture.jpeg
Remote host = 192.168.1.100
Remote user name = joe
Remote path to be copied to = /home/joe/

    scp /home/joe/picture.jpeg joe@192.168.1.100:/home/joe/

The program would ask for Joe's password on the remote system and then copy the file. For copying the entire directory of /home/joe to the remote system, the following would work.

    scp -r /home/joe joe@192.168.1.100:/home/joe

Note: ~ can be used in place of the full path for a home directory. Example:

    scp ~/picture.jpeg joe@192.168.1.100:~/

is the same as

    scp /home/joe/picture.jpeg joe@192.168.1.100:/home/joe/

This simple notation can reduce the amount of typing needed, as you can see. However, if Joe's home directory on the remote system was not /home/joe, using the ~ would ensure that the file goes to the home directory no matter what it is set to.

Secure FTP

Secure FTP works by default on Fedora. The command is sftp and the syntax is just like ssh.

    sftp User@address
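
A check for the server-side result of the key setup in the Advanced section, as an added example that is not part of the original page: it verifies the 700/600 permissions and that ~/.ssh/authorized_keys holds public-key lines (the .pub file that ssh-keygen writes next to the private key) and no private key. The function names, the key-type list and the sample files are assumptions constructed for the example; the sample line uses ssh-ed25519 because OpenSSH has disabled DSA (ssh-dss) keys by default since version 7.0.

```shell
#!/bin/sh
# Added example: sanity-check an account's ~/.ssh before relying on key login.
# Key-type tokens accepted in authorized_keys lines (assumed list, extend as needed).
KEYTYPES='ssh-(ed25519|rsa|dss)|ecdsa-sha2-[a-z0-9-]+|sk-[a-z0-9@.-]+'

# has_mode PATH MODE -> true when PATH has exactly the octal permissions MODE.
has_mode() { [ -n "$(find "$1" -prune -perm "$2" 2>/dev/null)" ]; }

# check_ssh_dir DIR -> prints one line per finding, returns non-zero if any.
check_ssh_dir() {
    dir=$1 keys=$1/authorized_keys rc=0
    has_mode "$dir" 700  || { echo "$dir: mode is not 700"; rc=1; }
    [ -f "$keys" ]       || { echo "$keys: missing"; return 1; }
    has_mode "$keys" 600 || { echo "$keys: mode is not 600"; rc=1; }
    # A private key file starts with a "-----BEGIN ... PRIVATE KEY-----" line.
    if grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$keys"; then
        echo "$keys: contains a PRIVATE key; only .pub lines belong here"; rc=1
    fi
    # Every non-comment, non-blank line must carry a public key type token.
    bad=$(grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$keys" |
          grep -c -v -E "(^|[[:space:]])($KEYTYPES) " || true)
    [ "$bad" -eq 0 ] || { echo "$keys: $bad line(s) without a public key"; rc=1; }
    return $rc
}

# Constructed samples: the key material below is placeholder text, not a key.
demo=$(mktemp -d)
mkdir -m 700 "$demo/good" "$demo/bad"
echo 'ssh-ed25519 AAAA_CONSTRUCTED_PLACEHOLDER joe@client' > "$demo/good/authorized_keys"
printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' 'CONSTRUCTED_PLACEHOLDER_NOT_A_KEY' \
    '-----END OPENSSH PRIVATE KEY-----' > "$demo/bad/authorized_keys"
chmod 600 "$demo/good/authorized_keys"
chmod 644 "$demo/bad/authorized_keys"

check_ssh_dir "$demo/good" && echo "good: ok"
check_ssh_dir "$demo/bad"  || echo "bad: fix before disabling passwords"
```

Run it against a real account with `check_ssh_dir "$HOME/.ssh"` on the server before turning off password authentication.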
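
An audit of the two server settings changed in the Basic and Advanced sections (PermitRootLogin no and PasswordAuthentication no), as an added example that is not part of the original page. It reads a config file the way sshd does for plain keywords: names are case-insensitive and the first occurrence wins, so a later or commented-out line does not count. The function names and sample files are constructed for the example, and it assumes no Include files or Match blocks and the current upstream defaults noted in the comments.

```shell
#!/bin/sh
# Added example: report the effective value of selected sshd_config keywords.
# Assumption: Include files and Match blocks are not followed.

# effective_value FILE KEYWORD DEFAULT -> value sshd would use for KEYWORD.
effective_value() {
    awk -v want="$2" -v dflt="$3" '
        BEGIN { want = tolower(want) }
        /^[ \t]*#/ { next }                  # whole-line comment
        {
            gsub(/=/, " ")                   # accept Keyword=value
            if (NF >= 2 && tolower($1) == want) {
                print tolower($2); found = 1; exit   # first occurrence wins
            }
        }
        END { if (!found) print dflt }
    ' "$1"
}

# audit_sshd FILE -> prints one line per finding, returns non-zero if any.
audit_sshd() {
    rc=0
    # Defaults assumed from current upstream OpenSSH:
    # PermitRootLogin prohibit-password, PasswordAuthentication yes.
    root=$(effective_value "$1" PermitRootLogin prohibit-password)
    pass=$(effective_value "$1" PasswordAuthentication yes)
    [ "$root" = no ] || { echo "PermitRootLogin is '$root', expected 'no'"; rc=1; }
    [ "$pass" = no ] || { echo "PasswordAuthentication is '$pass', expected 'no'"; rc=1; }
    return $rc
}

# Constructed sample configs (not taken from any real host).
tmp=$(mktemp -d)
printf '%s\n' '#PermitRootLogin no' 'PermitRootLogin yes' \
    'PasswordAuthentication yes' > "$tmp/weak"
printf '%s\n' 'permitrootlogin no' 'PasswordAuthentication=no' \
    'PasswordAuthentication yes' > "$tmp/hardened"

audit_sshd "$tmp/weak"     || echo "weak: needs changes"
audit_sshd "$tmp/hardened" && echo "hardened: ok"
```

On a live server, `sshd -T` prints the configuration sshd actually resolved, including Include and Match handling that this sketch skips.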